Method, apparatus, and program to forward and verify multiple digital signatures in electronic mail

ABSTRACT

A mechanism is provided for augmenting the mail header of a message with a list of digital signatures representing the chain of contributors to the message. The augmented header may also encode the actual contributions corresponding to each digital signature. The list is appended every time a message is forwarded. If a message has a portion with no corresponding digital signature or if one or more of the digital signatures is not trusted, the user may handle the message accordingly. Furthermore, a mail server or client may discard a message if the number of digital signatures exceeds a threshold to filter out unwanted messages, such as e-mail chain letters.

BACKGROUND OF THE INVENTION

[0001] 1. Technical Field

[0002] The present invention relates to network data processing systems and, in particular, to electronic mail. Still more particularly, the present invention provides a method, apparatus, and program for verifying multiple digital signatures in mail forwarding.

[0003] 2. Description of Related Art

[0004] With the increasing popularity of computers, paper transactions are gradually being replaced by digital formats, such as e-mail and electronic data interchange (EDI). While the legal framework to establish and support the validity of digital transactions is evolving, it is clear that digital signatures will play a pivotal role, especially in the area of non-repudiation in the near future. Therefore, it is essential that important documents are digitally signed for them to support the framework alluded to above.

[0005] In this context, e-mail plays a pivotal role in communications, both in the corporate and noncorporate worlds. Since the content of e-mail can evoke a range of actions, such as litigation, it is important to assign responsibility and the non-repudiation properties to e-mail transmissions. Furthermore, with the spread of viruses and spyware through electronic transmissions, improved security and accountability is needed. Under current implementations, an e-mail message typically bears the digital signature of the sender. However, in the case of forwarded e-mail, there is no way to attach easily enforceable non-repudiation properties and responsibilities to the chain of recipients. In essence, the sender becomes responsible for the entire content in case of disputes under the current implementations. This implies that the sender has to always peruse through the entire chain before forwarding an e-mail message. This may be time consuming.

[0006] Therefore, it would be advantageous to provide a mechanism for the insertion and retention of multiple digital signatures corresponding to contributing authors in forwarded e-mail.

SUMMARY OF THE INVENTION

[0007] The present invention provides a mechanism for augmenting the mail header of a message with a list of digital signatures representing the chain of contributors to the message. The augmented header may also encode the actual contributions corresponding to each digital signature. For example, when a user forwards a message and makes a contribution, the beginning bytes and length of the contribution may be associated with that user's digital signature in the header. Similarly, an attachment filename may be associated with a user that attaches a file in a forwarded message. The list is appended every time a message is forwarded. If a message has a portion with no corresponding digital signature or if one or more of the digital signatures is not trusted, the user may handle the message accordingly. For example, a user may choose to delete a message without opening if a file is attached by an untrusted user. Furthermore, a mail server or client may discard a message if the number of digital signatures exceeds a threshold to filter out unwanted messages, such as e-mail chain letters.

BRIEF DESCRIPTION OF THE DRAWINGS

[0008] The novel features believed characteristic of the invention are set forth in the appended claims. The invention itself, however, as well as a preferred mode of use, further objectives and advantages thereof, will best be understood by reference to the following detailed description of an illustrative embodiment when read in conjunction with the accompanying drawings, wherein:

[0009] FIG. 1 depicts a pictorial representation of a network of data processing systems in which the present invention may be implemented;

[0010] FIG. 2 is a block diagram of a data processing system that may be implemented as a server in accordance with a preferred embodiment of the present invention;

[0011] FIG. 3 is a block diagram illustrating a data processing system in which the present invention may be implemented;

[0012] FIGS. 4A and 4B are pictorial representations of example network data processing systems in accordance with a preferred embodiment of the present invention;

[0013] FIG. 5 is a flowchart illustrating the operation of a mail client sending a message in accordance with a preferred embodiment of the present invention;

[0014] FIG. 6 is a flowchart illustrating the operation of a mail client sending a message in accordance with a preferred embodiment of the present invention;

[0015] FIG. 7 is a flowchart depicting the operation of a mail client receiving a message in accordance with a preferred embodiment of the present invention; and

[0016] FIG. 8 is a flowchart illustrating the operation of a process for filtering out unwanted messages in accordance with a preferred embodiment of the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

[0017] With reference now to the figures, FIG. 1 depicts a pictorial representation of a network of data processing systems in which the present invention may be implemented. Network data processing system 100 is a network of computers in which the present invention may be implemented. Network data processing system 100 contains a network 102, which is the medium used to provide communications links between various devices and computers connected together within network data processing system 100. Network 102 may include connections, such as wire, wireless communication links, or fiber optic cables.

[0018] In the depicted example, server 104 is connected to network 102 along with storage unit 106. In addition, clients 108, 110, and 112 are connected to network 102. These clients 108, 110, and 112 may be, for example, personal computers or network computers. In the depicted example, server 104 provides data, such as boot files, operating system images, and applications to clients 108-112. Clients 108, 110, and 112 are clients to server 104. Network data processing system 100 may include additional servers, clients, and other devices not shown. In the depicted example, network 102 represents the Internet, a worldwide collection of networks and gateways that use the TCP/IP suite of protocols to communicate with one another. At the heart of the Internet is a backbone of high-speed data communication lines between major nodes or host computers, consisting of thousands of commercial, government, educational and other computer systems that route data and messages. Of course, network data processing system 100 also may be implemented as a number of different types of networks, such as for example, an intranet, a local area network (LAN), or a wide area network (WAN). FIG. 1 is intended as an example, and not as an architectural limitation for the present invention.

[0019] Referring to FIG. 2, a block diagram of a data processing system that may be implemented as a server, such as server 104 in FIG. 1, is depicted in accordance with a preferred embodiment of the present invention. Data processing system 200 may be a symmetric multiprocessor (SMP) system including a plurality of processors 202 and 204 connected to system bus 206. Alternatively, a single processor system may be employed. Also connected to system bus 206 is memory controller/cache 208, which provides an interface to local memory 209. I/O bus bridge 210 is connected to system bus 206 and provides an interface to I/O bus 212. Memory controller/cache 208 and I/O bus bridge 210 may be integrated as depicted.

[0020] Peripheral component interconnect (PCI) bus bridge 214 connected to I/O bus 212 provides an interface to PCI local bus 216. A number of modems may be connected to PCI local bus 216. Typical PCI bus implementations will support four PCI expansion slots or add-in connectors. Communications links to network computers 108-112 in FIG. 1 may be provided through modem 218 and network adapter 220 connected to PCI local bus 216 through add-in boards.

[0021] Additional PCI bus bridges 222 and 224 provide interfaces for additional PCI local buses 226 and 228, from which additional modems or network adapters may be supported. In this manner, data processing system 200 allows connections to multiple network computers. A memory-mapped graphics adapter 230 and hard disk 232 may also be connected to I/O bus 212 as depicted, either directly or indirectly.

[0022] Those of ordinary skill in the art will appreciate that the hardware depicted in FIG. 2 may vary. For example, other peripheral devices, such as optical disk drives and the like, also may be used in addition to or in place of the hardware depicted. The depicted example is not meant to imply architectural limitations with respect to the present invention.

[0023] The data processing system depicted in FIG. 2 may be, for example, an IBM e-Server pSeries system, a product of International Business Machines Corporation in Armonk, N.Y., running the Advanced Interactive Executive (AIX) operating system or LINUX operating system.

[0024] With reference now to FIG. 3, a block diagram illustrating a data processing system is depicted in which the present invention may be implemented. Data processing system 300 is an example of a client computer. Data processing system 300 employs a peripheral component interconnect (PCI) local bus architecture. Although the depicted example employs a PCI bus, other bus architectures such as Accelerated Graphics Port (AGP) and Industry Standard Architecture (ISA) may be used. Processor 302 and main memory 304 are connected to PCI local bus 306 through PCI bridge 308. PCI bridge 308 also may include an integrated memory controller and cache memory for processor 302. Additional connections to PCI local bus 306 may be made through direct component interconnection or through add-in boards. In the depicted example, local area network (LAN) adapter 310, SCSI host bus adapter 312, and expansion bus interface 314 are connected to PCI local bus 306 by direct component connection. In contrast, audio adapter 316, graphics adapter 318, and audio/video adapter 319 are connected to PCI local bus 306 by add-in boards inserted into expansion slots. Expansion bus interface 314 provides a connection for a keyboard and mouse adapter 320, modem 322, and additional memory 324. Small computer system interface (SCSI) host bus adapter 312 provides a connection for hard disk drive 326, tape drive 328, and CD-ROM drive 330. Typical PCI local bus implementations will support three or four PCI expansion slots or add-in connectors.

[0025] An operating system runs on processor 302 and is used to coordinate and provide control of various components within data processing system 300 in FIG. 3. The operating system may be a commercially available operating system, such as Windows 2000, which is available from Microsoft Corporation. An object oriented programming system such as Java may run in conjunction with the operating system and provide calls to the operating system from Java programs or applications executing on data processing system 300. “Java” is a trademark of Sun Microsystems, Inc. Instructions for the operating system and applications or programs are located on storage devices, such as hard disk drive 326, and may be loaded into main memory 304 for execution by processor 302.

[0026] Those of ordinary skill in the art will appreciate that the hardware in FIG. 3 may vary depending on the implementation. Other internal hardware or peripheral devices, such as flash ROM (or equivalent nonvolatile memory) or optical disk drives and the like, may be used in addition to or in place of the hardware depicted in FIG. 3. Also, the processes of the present invention may be applied to a multiprocessor data processing system.

[0027] As another example, data processing system 300 may be a stand-alone system configured to be bootable without relying on some type of network communication interface, whether or not data processing system 300 comprises some type of network communication interface. As a further example, data processing system 300 may be a Personal Digital Assistant (PDA) device, which is configured with ROM and/or flash ROM in order to provide nonvolatile memory for storing operating system files and/or user-generated data.

[0028] The depicted example in FIG. 3 and above-described examples are not meant to imply architectural limitations. For example, data processing system 300 also may be a notebook computer or hand held computer in addition to taking the form of a PDA. Data processing system 300 also may be a kiosk or a Web appliance.

[0029] Returning to FIG. 1, server 104 may be a message server, such as an e-mail server. Clients 108, 110, 112 may transmit messages to one another through server 104. More particularly, the messages may be forwarded e-mail messages. For example, client 108 may send an e-mail message to client 110 and client 110 may forward the e-mail message to client 112. While FIG. 1 shows one server, the network configuration may include more servers. In fact, each client may have its own mail server.

[0030] In prior art implementations, e-mail messages typically bear the digital signature of the sender. In other words, when a message is sent from client 108 to client 110, the message bears the digital signature of the user of client 108. When the message is forwarded from client 110 to client 112, the forwarded message bears the digital signature of the user of client 110. Therefore, the user of client 112 can only authenticate the message with respect to the user of client 110. Even if the user of client 112 trusts the user of client 110, there is no way in the prior art to authenticate the originator of the forwarded message.

[0031] In accordance with a preferred embodiment of the present invention, each client executes e-mail client software that augments the e-mail message header with a list of digital signatures representing the chain of contributors in an e-mail. The list is appended every time an e-mail message is forwarded. The header may also encode the actual contributions corresponding to each digital signature. For example, when a user forwards a message and includes a contribution, the beginning bytes and length of the contribution are associated with that user's digital signature in the header. However, other methods of associating the contribution with the digital signature may be used, such as marking up the actual message content. Furthermore, an attachment filename may also be associated with a user that attaches a file in a forwarded message.

[0032] With reference to FIGS. 4A and 4B, pictorial representations of example network data processing systems are shown in accordance with a preferred embodiment of the present invention. Particularly, with respect to FIG. 4A, a network data processing system contains Internet 402, which is the medium used to provide communications links between various devices and computers connected together within the network data processing system. Client 1 404 communicates with mail server 1 406 through Internet 402 to send and receive mail. Similarly, client 2 408 communicates with mail server 410 and client 3 412 communicates with mail server 3 414.

[0033] Person 1 uses client 1 to compose message 420 and sends the message to person 2 at client 2. Mail message 420 bears digital signature 422 for person 1 and includes the contribution of person 1. The mail message is transferred by sending the message from client 1 to mail server 1. Mail server 1 then transfers the message to mail server 2. Person 2 may then retrieve the mail message as message 424 from mail server 2 using client 2. Person 2 may then authenticate the digital signature of person 1 in a known manner.

[0034] Person 2 may then make a contribution and forward the message. When person 2 forwards message 424 to person 3, the mail client software running on client 2 appends digital signature 426 of person 2 to message 424 and includes a contribution of person 2 before transferring the message to mail server 2. Mail server 2 then transfers the message to mail server 3, where it may be delivered to client 3.

[0035] When person 3 retrieves the message as message 428 from mail server 3, the message includes in the header digital signatures 430. These digital signatures include the digital signature for person 1 and the digital signature for person 2. The message body includes the contribution of person 1 and the contribution of person 2. The header may also encode the actual contributions corresponding to each digital signature, as stated above.

[0036] In an alternative embodiment, when person 2 forwards message 424, the message from person 1 is included as attachment. Thus, when person 3 retrieves message 428, the message includes attachment 432 including message 434 from person 1. The header may then associate the digital signature of person 1 with the attachment. Therefore, the digital signature for person 2 may be verified with respect to message 428 and the digital signature for person 1 may be verified with respect to message 434.

[0037] Turning now to FIG. 4B, an example is shown in which an attachment is added in a forwarded message. Person 1 uses client 1 to send message 440 to person 2 at client 2. Mail message 440 bears digital signature 442 for person 1 and includes a contribution of person 1. Person 2 receives the message as message 444 and may then authenticate the digital signature of person 1. When person 2 forwards message 444 to person 3, the mail client software running on client 2 appends digital signature 446 of person 2 to message 444 before transferring the message to mail server 2. Person 2 may include attachment 448 in message 444. The mail client software running on client 2 then includes the contribution of person 2, including the file attachment, and associates the attachment filename with the digital signature for person 2. Mail server 2 then transfers the message to mail server 3, where it may be delivered to client 3.

[0038] When person 3 retrieves the message as message 450 from mail server 3, the message includes in the header digital signatures 452. These digital signatures include the digital signature for person 1 and the digital signature for person 2. The header may also encode the actual contributions corresponding to each digital signature. Particularly, the header associates the attachment filename with the digital signature for person 2. Thus, person 3 may authenticate the digital signature for person 2 before opening the attachment. Furthermore, even if person 3 forwards the message to another person, the attachment remains associated with the digital signature for person 2.

[0039] The contributions may also be encoded within the header, such as by indicating a beginning location and a length of a contribution. Alternatively, contributions may be encoded within the body of the message, such as through journaling techniques or tools for tracking edits similar to those in word processing applications. For example, a mail client application may track changes made by each user and display the changes for each person using a different color.

[0040] With reference to FIG. 5, a block diagram of the functional components of a client device is shown in accordance with a preferred embodiment of the present invention. The client device includes communications interface 510 that is used to communicate with a mail server to send and receive mail messages. The system also includes mail client 520 for presenting, organizing, and composing mail messages. Mail client 520 includes mail forwarding manager 522. The mail forwarding manager allows the user to forward mail messages and to verify forwarded mail messages that are received. Digital signatures are verified using signature verification mechanism 530.

[0041] Controller 540 controls the overall operation of the client device. Controller 540 sends and receives data through communications interface 510 and controls the operation of mail client and the signature verification mechanism to carry out the functions of the present invention. The elements of the functional block diagram of FIG. 5 may be implemented as hardware, software, or a combination of hardware and software components. In a preferred embodiment, the functional elements shown in FIG. 5 are implemented as software instructions executed by one or more of the hardware elements shown in FIG. 3.

[0042] With reference to FIG. 6, a flowchart is depicted illustrating the operation of a mail client sending a message in accordance with a preferred embodiment of the present invention. The process begins when a mail message is being sent. A determination is made as to whether the mail is forwarded mail (step 602). If the mail is forwarded mail, the process appends the digital signature of the sender to the message header (step 604) and associates the current contribution with the digital signature of the sender (step 606).

[0043] Next, a determination is made as to whether an attachment is added (step 608). If an attachment is not added, the process sends the mail message (step 610) and ends. If an attachment is added in step 608, the process associates the attachment filename with the digital signature of the sender in the header (step 612). Then, a determination is made as to whether the attachment is the last attachment (step 614). If the attachment is the last attachment, the process sends the mail message (step 610) and ends. If the attachment is not the last attachment, the process returns to step 612 to associate the next attachment filename with the digital signature of the sender in the header.

[0044] Returning to step 602, if the mail message is not forwarded mail, the process includes the digital signature of the sender in the header (step 616) as known in the art. Thereafter, the process proceeds to step 608 to determine whether an attachment is added. Thus, the present invention may associate an attachment filename with the sender even if the message is not a forwarded mail message. This allows any file attachments to be associated with the sender if the message is forwarded by any of the recipients.

[0045] With reference now to FIG. 7, a flowchart depicting the operation of a mail client receiving a message is shown in accordance with a preferred embodiment of the present invention. The process begins and receives a mail message (step 702). The process then verifies the digital signatures in the header (step 704). A determination is made as to whether the signatures are verified (step 706). If the digital signatures are approved, the mail client opens the mail message (step 708) and ends. However, if the digital signatures are not verified in step 706, the process gives the user the option to accept the digital signature or delete the mail message (step 710) and ends.

[0046] Thus, if the user knows and trusts the person associated with the digital signature, the user may accept the digital signature to be added to the trusted list. However, if the user does not recognize or trust the person, the user may simply delete the e-mail without being exposed to its content.

[0047] The signatures may be verified by checking the authenticity of the signatures themselves. Furthermore, a user may not trust a sender and the mail message may not be verified, because one of the senders in the chain is not trusted. Still further, the forwarded mail message may include content for which there is no associated digital signature. For example, a mail message may include an attachment, the filename of which is not associated with a digital signature. Such a mail message would fail verification.

[0048] Turning now to FIG. 8, a flowchart illustrating the operation of a process for filtering out unwanted messages is shown in accordance with a preferred embodiment of the present invention. The process begins and receives a mail message (step 802). Next, the process compares the number of digital signatures in the header to a threshold (step 804) and a determination is made as to whether the number of signatures exceeds the threshold (step 806). If the number of signatures does not exceed the threshold, the process delivers the mail to the user's mailbox (step 808) and ends. If the number of signatures exceeds the threshold in step 806, the process discards the mail message (step 810) and ends.

[0049] The threshold may be selected by a user. For example, a subscriber to the mail server may determine that a mail message that has been forwarded fifty or more times, for instance, is likely to be an e-mail chain letter.

[0050] Thus, the present invention solves the disadvantages of the prior art by providing a mechanism for augmenting the mail header of a message with a list of digital signatures representing the chain of contributors to the message. The augmented header may also encode the actual contributions corresponding to each digital signature. The list is appended every time a message is forwarded. If a message has a portion with no corresponding digital signature or if one or more of the digital signatures is not trusted, the user may handle the message accordingly. Furthermore, a mail server or client may discard a message if the number of digital signatures exceeds a threshold to filter out unwanted messages, such as e-mail chain letters.

[0051] It is important to note that while the present invention has been described in the context of a fully functioning data processing system, those of ordinary skill in the art will appreciate that the processes of the present invention are capable of being distributed in the form of a computer readable medium of instructions and a variety of forms and that the present invention applies equally regardless of the particular type of signal bearing media actually used to carry out the distribution. Examples of computer readable media include recordable-type media, such as a floppy disk, a hard disk drive, a RAM, CD-ROMs, DVD-ROMs, and transmission-type media, such as digital and analog communications links, wired or wireless communications links using transmission forms, such as, for example, radio frequency and light wave transmissions. The computer readable media may take the form of coded formats that are decoded for actual use in a particular data processing system.

[0052] The description of the present invention has been presented for purposes of illustration and description, and is not intended to be exhaustive or limited to the invention in the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art. The embodiment was chosen and described in order to best explain the principles of the invention, the practical application, and to enable others of ordinary skill in the art to understand the invention for various embodiments with various modifications as are suited to the particular use contemplated.

What is claimed is:
 1. A method for forwarding a message, comprising: receiving a message from a first user at a computer of a second user, wherein the message has attached thereto a first digital signature corresponding to the first user; attaching to the message a second digital signature corresponding to the second user; and forwarding the message to a third user.
 2. The method of claim 1, further comprising: identifying a contribution made by the second user; and associating the contribution made by the second user with the second digital signature.
 3. The method of claim 2, wherein the contribution comprises a file attachment and the method further comprises associating a filename of the file attachment with the second digital signature.
 4. The method of claim 1, wherein the step of forwarding the message comprises forwarding the message as an attachment and the step of associating comprises associating the attachment with the first digital signature.
 5. A method for receiving a forwarded message, comprising: receiving a message at a computer of a third user, wherein the message was sent from a first user to a second user and subsequently forwarded to the third user, and wherein the message has attached thereto a first digital signature corresponding to the first user and a second digital signature corresponding to the second user; verifying the first digital signature and the second digital signature; and opening the message if the first digital signature and the second digital signature are approved.
 6. The method of claim 5, wherein the step of verifying the first digital signature and the second digital signature comprises: comparing the first digital signature and the second digital signature to a list of trusted digital signatures; and approving the first digital signature and the second digital signature if they are in the list of trusted digital signatures.
 7. The method of claim 6, further comprising: denying the first digital signature or the second digital signature if it is not in the list of trusted digital signatures; prompting the third user to accept the denied digital signature; and adding the denied digital signature to the list of trusted digital signatures if the user accepts the denied digital signature.
 8. The method of claim 6, further comprising deleting the message if the first digital signature or the second digital signature is not approved.
 9. The method of claim 5, further comprising: attaching to the message a third digital signature corresponding to the third user; and forwarding the message to a fourth user.
 10. A method for receiving a forwarded message, comprising: receiving a message, wherein the message was forwarded by a plurality of users, and wherein the message has attached thereto digital signatures corresponding to each of the plurality of users; determining the number of users in the plurality of users; comparing the number to a threshold; and discarding the message if the number exceeds the threshold.
 11. An apparatus for forwarding a message, comprising: receipt means for receiving a message from a first user at a computer of a second user, wherein the message has attached thereto a first digital signature corresponding to the first user; attachment means for attaching to the message a second digital signature corresponding to the second user; and forwarding means for forwarding the message to a third user.
 12. The apparatus of claim 11, further comprising: identification means for identifying a contribution made by the second user; and association means for associating the contribution made by the second user with the second digital signature.
 13. The apparatus of claim 12, wherein the contribution comprises a file attachment and the association means comprises means for associating a filename of the file attachment with the second digital signature.
 14. The apparatus of claim 11, wherein the forwarding means comprises means for forwarding the message as an attachment and the association means comprises means for associating the attachment with the first digital signature.
 15. An apparatus for receiving a forwarded message, comprising: receipt means for receiving a message at a computer of a third user, wherein the message was sent from a first user to a second user and subsequently forwarded to the third user, and wherein the message has attached thereto a first digital signature corresponding to the first user and a second digital signature corresponding to the second user; verification means for verifying the first digital signature and the second digital signature; and opening means for opening the message if the first digital signature and the second digital signature are approved.
 16. The apparatus of claim 15, wherein the verification means comprises: comparison means for comparing the first digital signature and the second digital signature to a list of trusted digital signatures; and approval means for approving the first digital signature and the second digital signature if they are in the list of trusted digital signatures.
 17. The apparatus of claim 16, further comprising: means for denying the first digital signature or the second digital signature if it is not in the list of trusted digital signatures; means for prompting the third user to accept the denied digital signature; and means for adding the denied digital signature to the list of trusted digital signatures if the user accepts the denied digital signature.
 18. The apparatus of claim 16, further comprising means for deleting the message if the first digital signature or the second digital signature is not approved.
 19. The apparatus of claim 15, further comprising: means for attaching to the message a third digital signature corresponding to the third user; and means for forwarding the message to a fourth user.
 20. An apparatus for receiving a forwarded message, comprising: receipt means for receiving a message, wherein the message was forwarded by a plurality of users, and wherein the message has attached thereto digital signatures corresponding to each of the plurality of users; determination means for determining the number of users in the plurality of users; comparison means for comparing the number to a threshold; and discarding means for discarding the message if the number exceeds the threshold.
 21. An e-mail client, comprising: means for augmenting a header of an e-mail message with a list of digital signatures representing the chain of contributors in the e-mail message; and means for sending the e-mail message to an e-mail server.
 22. A computer program product, in a computer readable medium, for forwarding a message, comprising: instructions for receiving a message from a first user at a computer of a second user, wherein the message has attached thereto a first digital signature corresponding to the first user; instructions for attaching to the message a second digital signature corresponding to the second user; and instructions for forwarding the message to a third user.
 23. A computer program product, in a computer readable medium, for receiving a forwarded message, comprising: instructions for receiving a message at a computer of a third user, wherein the message was sent from a first user to a second user and subsequently forwarded to the third user, and wherein the message has attached thereto a first digital signature corresponding to the first user and a second digital signature corresponding to the second user; instructions for verifying the first digital signature and the second digital signature; and instructions for opening the message if the first digital signature and the second digital signature are approved.
 24. A computer program product, in a computer readable medium, for receiving a forwarded message, comprising: instructions for receiving a message, wherein the message was forwarded by a plurality of users, and wherein the message has attached thereto digital signature corresponding to each of the plurality of users; instructions for determining the number of users in the plurality of users; instructions for comparing the number to a threshold; and instructions for discarding the message if the number exceeds the threshold.